In an unfortunate twist, as City of Detroit employees struggle with a city in bankruptcy, they have just learned that many of them have had their personal information exposed. On March 3, 2014, the City of Detroit announced that it recently experienced a data breach involving files that contained personally identifiable information of a large number of city employees. The city also stated that it is taking “significant measures” to inform affected employees of the breach.

Yesterday at 11:00 a.m. City of Detroit chief information officer Beth Niblock made a public disclosure regarding the breach. Ms. Niblock indicated that about 1,700 Detroit fire and EMS employees were affected when a malware virus locked numerous files on February 8, 2014, two of which contained employees’ personally identifiable information. The malware likely infected the city’s database when an employee clicked on a link contained in a phishing email. Interestingly, Ms. Niblock made it quite clear that the city does not believe that any of the files were accessed by the hackers.

Detroit suspects the email was sent by hackers in a foreign country, but the city is working with a forensic team and law enforcement to pinpoint the source. Ms. Niblock said the city will require its employees to take cybersecurity training, but she also warned that everyone is susceptible to these types of breaches and, really, “the only safe computer is the one that’s turned off and unplugged.” Detroit will be notifying affected employees by letter and the city will be offering a credit monitoring service and identity theft service, according to Ms. Niblock.

Preparation is critical

There is no question that time is of the essence when a data breach occurs. However, it is just as critical, if not more so, to understand the facts and the law concerning the breach prior to informing the public.

The takeaway is as follows: Be prepared; have a plan; work with professionals who do this every day; understand applicable law; and gather critical facts so that appropriate decisions can be made. The Data Privacy and Cybersecurity team at McDonald Hopkins helps clients reduce their exposure while navigating the data breach maze.
